[all-commits] [llvm/llvm-project] 3c06ec: [instcombine] Fix oss-fuzz 39934 (mul matcher can ...

Philip Reames via All-commits all-commits at lists.llvm.org
Sun Oct 24 14:42:37 PDT 2021 

  Branch: refs/heads/main
  Home:   https://github.com/llvm/llvm-project
  Commit: 3c06ecaa1e8d0267fe67c1e5c8fa5f294de2aab8
      https://github.com/llvm/llvm-project/commit/3c06ecaa1e8d0267fe67c1e5c8fa5f294de2aab8
  Author: Philip Reames <listmail at philipreames.com>
  Date:   2021-10-24 (Sun, 24 Oct 2021)

  Changed paths:
    M llvm/lib/Transforms/InstCombine/InstCombineCompares.cpp
    M llvm/test/Transforms/InstCombine/icmp-mul.ll

  Log Message:
  -----------
  [instcombine] Fix oss-fuzz 39934 (mul matcher can match non-instruction)

Fixes a crash observed by oss-fuzz in 39934.  Issue at hand is that code expects a pattern match on m_Mul to imply the operand is a mul instruction, however mul constexprs are also valid here.


  Commit: a461fa64bb37cffd73f683c74f6b0780379fc2ca
      https://github.com/llvm/llvm-project/commit/a461fa64bb37cffd73f683c74f6b0780379fc2ca
  Author: Philip Reames <listmail at philipreames.com>
  Date:   2021-10-24 (Sun, 24 Oct 2021)

  Changed paths:
    M llvm/lib/Analysis/ValueTracking.cpp

  Log Message:
  -----------
  Treat branch on poison as immediate UB (under an off by default flag)

The LangRef clearly states that branching on a undef or poison value is immediate undefined behavior, but historically, we have not been consistent about implementing that interpretation in the optimizer. Historically, we used (in some cases) a more relaxed model which essentially looked for provable UB along both paths which was control dependent on the condition. However, we've never been 100% consistent here. For instance SCEV uses the strong model for increments which form AddRecs (and only addrecs).

At the moment, the last big blocker for finally making this switch is enabling the fix landed in D106041. Loop unswitching (in it's classic form) is incorrect as it creates many "branch on poisons" when unswitching conditions originally unreachable within the loop.

This change adds a flag to value tracking which allows to easily test the optimization potential of treating branch on poison as immediate UB. It's intended to help ease work on getting us finally through this transition and avoid multiple independent rediscovers of the same issues.

Differential Revision: https://reviews.llvm.org/D112026


Compare: https://github.com/llvm/llvm-project/compare/850217686e21...a461fa64bb37

More information about the All-commits mailing list